Sextortion scam knows your password, but don’t fall for it

Someone has been sending sextortion scam emails with a new twist – one aimed at making it more likely you’ll be duped into paying a blackmail fee.

One of the emails arrived at Naked Security yesterday, via a diligent reader, just as Brian Krebs was breaking the story on his site.

It claims to have compromising images of the recipient and goes on to ask for payment in order to stop the images being released publicly. Attempting to manipulate victims by claiming to have compromising images of them is known as sextortion, and it's been used for years. What makes this scam different is that it's added something extra: it contains a real password used by the victim.

The email reads:

I do know, [PASSWORD REDACTED], is your password. You do not know me and you are probably thinking why you are getting this e mail, correct? actually, I placed a malware on the adult videos (pornography) website and do you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) that has a key logger which gave me accessibility to your display and also webcam. after that, my software program obtained all your contacts from your Messenger, Facebook, as well as email. What exactly did I do? I made a double-screen video. First part displays the video you were viewing (you've got a nice taste haha), and second part shows the recording of your webcam. exactly what should you do? Well, I believe, $2900 is a reasonable price tag for our little secret. You'll make the payment via Bitcoin (if you don't know this, search "how to buy bitcoin" in Google). BTC Address: 19ZFj3nLSJCgoAcvZSgxs6fWoEmvJhfKkY
(It is cAsE sensitive, so copy and paste it) Important:
You have one day to make the payment. (I've a unique pixel within this email message, and now I know that you have read this e mail). If I do not get the BitCoins, I will definitely send out your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I receive the payment, I'll erase the video immidiately. If you want evidence, reply with "Yes!" and I will send your video to your 9 friends. It is a non-negotiable offer, that being said do not waste my time and yours by replying to this e-mail.

The power of a password

Many people, even those who feel as though they could have been seen in a compromising position, would normally be too jaded to fall for a sextortion scam with no evidence. Including a real password makes it seem more convincing, though, which might be enough to fool some people.

Several people mailed Krebs copies that they had received of this mail, and in all cases the passwords were more than ten years old. The person who forwarded the message to us also said that the password was an old one.

But still, how did they get the passwords?

Krebs mentions nefarious online lookup services that will grab this data for you. The other option is that the scammer has access to a list of compromised passwords from one of the many data breaches that have occurred within the last decade.

Websites aren’t supposed to store passwords in plain text but, sadly, some still do and ten years ago it was even more common.

Even when sites store your passwords securely, crooks who have a list of password hashes can run what’s known as a dictionary attack against the stolen list, trying millions of the most likely passwords for each user in the hope of getting a match.

If you’ve changed your password before the crooks get round to cracking it, then you win – the old, stolen password can’t log in any more – but if you didn’t know (or weren’t told) there was a breach, the crooks might still get lucky.

Even if the crooks can’t log in with your password by the time they crack it, they still know what it used to be, which is why you should never use the same, or even similar, passwords on different sites.
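As an added illustration of the two preceding paragraphs (example code, not from the original article): a constructed table of unsalted MD5 hashes, the kind of storage common a decade ago, falls to a small dictionary with one hash computation per candidate, while the same dictionary run against salted PBKDF2 records has to be re-derived for every user at a far higher per-guess cost. The user names, passwords and wordlist are all made up; a weak password in the wordlist still falls either way, which is the page's point about reuse.

```python
import hashlib
import secrets

# Constructed sample data: a tiny "likely passwords" list and a leaked
# table of unsalted MD5 hashes, as an old site might have stored them.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2008", "dragon"]

LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"summer2008").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"Tr0ub4dor&3-unique").hexdigest(),
}


def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    """Dictionary attack on unsalted hashes: hashing each candidate once
    tests it against every user at the same time (cost ~ words + users)."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def store_pbkdf2(password: str, iterations: int = 100_000) -> tuple:
    """Hardened storage: random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_pbkdf2(password: str, record: tuple) -> bool:
    """Constant-time check of a candidate against a stored (salt, iters, digest)."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return secrets.compare_digest(candidate, digest)


def crack_salted(records: dict, wordlist: list) -> tuple:
    """Same dictionary against salted records: no shared lookup table, so every
    candidate is re-derived per user (cost ~ words * users), and each derivation
    costs `iterations` HMAC calls instead of one MD5. Returns the recovered
    passwords and the number of KDF derivations spent."""
    cracked, kdf_calls = {}, 0
    for user, record in records.items():
        for word in wordlist:
            kdf_calls += 1
            if verify_pbkdf2(word, record):
                cracked[user] = word
                break
    return cracked, kdf_calls
```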

And, as this scam shows, even an old and retired password has “scare tactic” value to the crooks – the fact that they know what one of your passwords used to be is unsettling, to say the least.

There are some other notable things about this message. The first is that it apparently bypassed Gmail’s email filters, probably because of some random text included further down in the message.

The second is that some details vary between copies of the mail. The sender’s email address (either in the reply-to field or, in one case, included in the text of the mail) changes. The ransom amount also changes, and so does the bitcoin address.

Apparently, people are being taken in by this scam. Although at the time of writing the Bitcoin address in our email hasn’t received any funds, some of the addresses Krebs saw have. One address shows a transaction for 0.28847409 BTC on 6 July 2018. At that day’s prices, the transaction would have been worth around $1900. Another address reportedly used in a more or less identical mail received around 0.207145 BTC, or around $1300, on 9 July 2018.

These are unlikely to be the only cryptocurrency addresses used. That makes it a profitable little scheme for someone with lots of time, some scripting chops, and no soul.
